
Privacy Policy

Last updated April 2026

Summary

We store the minimum needed to manage your licence and keep HoverStash running on your device: email, an opaque machine fingerprint hash, and payment history. Everything you drag or convert stays on your computer.

1. Who we are

This Privacy Policy explains how HoverStash (“HoverStash”, “we”, “us”, “our”) handles personal data when you use HoverStash.

We are the “data controller” for the purposes of UK GDPR and the Data Protection Act 2018. If you have any questions, email us at privacy@hoverstash.tech.

2. What data we collect

  • Account + licence data. Your email address, your licence key (stored in full so we can match activation attempts against it; the dashboard UI only ever shows it masked, e.g. A1B2-•••-X9Y8), and an opaque machine fingerprint: a SHA-256 hash derived from the operating system, CPU architecture, CPU model string, and the platform's stable hardware identifier (IOPlatformUUID on macOS, MachineGuid on Windows, /etc/machine-id on Linux). The raw hardware identifier never leaves your device; only the one-way hash is sent to us so we can bind a Pro activation to the device you activated it on. Because its inputs are stable, the hash is the same every time that device activates, which is what lets us recognise it; it is therefore still a persistent pseudonymous identifier for your device, which is why it is listed here as personal data.
  • Payment data. Processed and stored entirely by Stripe, Inc. We receive a Stripe customer id and transaction metadata (amount, currency, date, country) so we can correlate purchases with licences and issue refunds. We also keep the raw Stripe webhook event payloads (which may include your email, name and billing country) for up to 90 days for dispute + chargeback resolution, then delete them.
  • Magic-link tokens. When you sign in to the dashboard we email you a single-use, 15-minute-TTL token. Only a SHA-256 hash of the raw token is ever stored — a leak of the database can't be replayed as a working sign-in link. Tokens are consumed on first click; the row is retained for up to 30 days as a security audit trail (to detect replay attempts) and then purged.
  • Session data. While you're signed in we store a session row with the IP address and the user-agent string (truncated to 400 characters) of the browser you signed in from. This lets us show "signed in from" hints in your account and detect anomalous sessions.
  • Technical logs. Our server keeps rolling access logs for 30 days (IP address, user agent, request path) for security + abuse-prevention. These are auto-deleted after 30 days.
  • Feature requests + votes. If you submit a feature request from the dashboard we store the title, body and your customer id so we can attribute the submission for moderation and so you can find it again under "My feature requests". Your email is never shown publicly. If you tick "Submit anonymously", the public roadmap shows "Anonymous" instead of your account display name; admins can still see who submitted for moderation purposes. Your votes are stored as one row per (feature request, customer); the public roadmap shows aggregate counts only.
  • Bug reports. If you report a bug — either from the dashboard or from the desktop app — we store your customer id, the title and description you wrote, and (for app submissions) any optional context you explicitly opted into: system info, sanitised preferences, or a redacted log tail. Before storage we run an automatic redactor that replaces licence-key-shaped strings, email addresses, and absolute file paths (including your home directory) with [redacted] markers. Bug reports are private — they are never shown to other customers and never published. They are auto-deleted 90 days after submission unless we've marked them as "fixed" or "won't fix".
  • Desktop-app bug-report handoff. When you click "Report a bug" inside HoverStash desktop, the app sends the payload to a temporary staging row keyed to a one-time token, then opens this site in your browser so you can review and confirm before sending. Unconfirmed staging payloads are auto-deleted after 1 hour. Confirmed ones are kept for 7 days alongside the resulting bug report as an audit trail (so we can tell whether a bug-report row originated from the desktop or the dashboard) and then deleted.
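
The magic-link handling described under "Magic-link tokens" above, as an added illustration in Python; this is not HoverStash's own code. It shows the properties the policy relies on: the raw token exists only in the emailed link, the stored row holds its SHA-256 hash, an unused link dies after 15 minutes, the first redemption consumes it, and the consumed row is kept (30 days assumed, matching the retention table) so that a second presentation of the same link is recorded as a replay attempt. The in-memory dict standing in for the database table, the row fields and the status strings are assumptions.

```python
# Added example (not HoverStash's code): hash-only storage of magic-link tokens
# with a 15-minute TTL, single use, and replay detection on the retained row.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60                  # unused links expire after 15 minutes
CONSUMED_RETENTION_SECONDS = 30 * 24 * 3600  # consumed rows kept as an audit trail (assumed)


@dataclass
class TokenRow:
    token_hash: str            # hex SHA-256 of the raw token; the raw token is never stored
    email: str
    issued_at: int             # unix seconds
    consumed_at: Optional[int] = None
    replay_attempts: int = 0   # presentations of the link after it was consumed


class MagicLinkStore:
    """Stand-in for a magic_link_tokens table, keyed by token hash (assumption)."""

    def __init__(self) -> None:
        self.rows: dict[str, TokenRow] = {}

    @staticmethod
    def hash_token(raw: str) -> str:
        return hashlib.sha256(raw.encode("ascii")).hexdigest()

    def issue(self, email: str, now: int) -> str:
        raw = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        h = self.hash_token(raw)
        self.rows[h] = TokenRow(token_hash=h, email=email, issued_at=now)
        return raw                               # goes into the emailed link only

    def redeem(self, raw: str, now: int) -> tuple[str, Optional[str]]:
        """Returns (status, email); status is 'ok', 'unknown', 'replayed' or 'expired'.

        The server hashes whatever it receives and looks that up, so a leaked
        hash cannot be pasted into a link: the preimage is what the link needs."""
        row = self.rows.get(self.hash_token(raw))
        if row is None:
            return "unknown", None
        if row.consumed_at is not None:          # single use: a second click is a replay
            row.replay_attempts += 1
            return "replayed", None
        if now - row.issued_at > TOKEN_TTL_SECONDS:
            return "expired", None
        row.consumed_at = now
        return "ok", row.email

    def purge(self, now: int) -> int:
        """Drop unused rows past the TTL and consumed rows past the retention
        window. Returns the number of rows removed."""
        dead = [
            h for h, r in self.rows.items()
            if (r.consumed_at is None and now - r.issued_at > TOKEN_TTL_SECONDS)
            or (r.consumed_at is not None and now - r.consumed_at > CONSUMED_RETENTION_SECONDS)
        ]
        for h in dead:
            del self.rows[h]
        return len(dead)


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.com", now=1_000)   # constructed sample
    print(store.redeem(link, now=1_010))   # ('ok', 'alice@example.com')
    print(store.redeem(link, now=1_020))   # ('replayed', None)
```

Looking rows up by hash also removes the need for a constant-time comparison of the raw token: the database never holds anything an attacker could compare against, and a 256-bit random token is not guessable in the 15-minute window.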

We do not collect: file contents you drag or convert; filenames of anything stashed; analytics about how you use the desktop app; or any third-party tracking cookies. The bug report flow is opt-in per submission and you see exactly what will be sent before submitting.
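
The automatic redactor mentioned under "Bug reports" above, as an added illustration in Python; this is not HoverStash's own redactor. It replaces licence-key-shaped strings, email addresses and absolute file paths (POSIX and Windows, which covers home directories) with [redacted] markers before a report is stored, and runs over a constructed log tail. The licence-key shape (four dash-separated groups of four A-Z/0-9 characters) is an assumption, since the page only shows a masked key; the regexes, the function names and the sample lines are likewise assumptions.

```python
# Added example (not HoverStash's code): a best-effort pre-storage redactor for
# bug-report text. Licence-key shape and patterns are assumptions.
import re

LICENCE_KEY = re.compile(r"\b[A-Z0-9]{4}(?:-[A-Z0-9]{4}){3}\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A leading slash not preceded by a word character or another slash, so MIME
# types such as application/json and the // inside URLs are left alone.
POSIX_PATH = re.compile(r"(?<![\w/])/(?:[\w.@-]+/)*[\w.@-]+")
# Drive-letter paths; inner segments may contain spaces (C:\Program Files\...).
WIN_PATH = re.compile(r"\b[A-Za-z]:\\(?:[\w.@ -]+\\)*[\w.@-]+")

REDACTED = "[redacted]"


def redact(text: str) -> str:
    """Paths first: a path may itself contain a key or an address, and the
    path rule removes the whole thing in one go. Keys and emails are then
    redacted wherever they remain."""
    for pattern in (POSIX_PATH, WIN_PATH, LICENCE_KEY, EMAIL):
        text = pattern.sub(REDACTED, text)
    return text


def redact_report(title: str, description: str, log_tail: str = "") -> dict:
    """Redact every free-text field of a bug report before it is stored."""
    return {
        "title": redact(title),
        "description": redact(description),
        "log_tail": redact(log_tail),
    }


# Constructed sample log tail (not from a real HoverStash install).
SAMPLE_LOG_TAIL = "\n".join([
    "10:14:03 INFO  activation ok key=A1B2-C3D4-E5F6-X9Y8 user=alice@example.com",
    "10:14:05 ERROR convert failed: /Users/alice/Documents/report.pdf (EACCES)",
    "10:14:06 ERROR convert failed: C:\\Users\\alice\\Desktop\\notes.txt",
    "10:14:07 INFO  content-type application/json accepted",
    "10:14:08 INFO  update check https://example.com/updates/latest 304",
])


if __name__ == "__main__":
    print(redact(SAMPLE_LOG_TAIL))
```

Pattern-based redaction is best effort: a key in an unexpected format or a relative path would pass through. That is why the confirmation step matters, since you see the redacted payload in the browser before it is sent and can remove anything the patterns missed.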

3. Why we use it

Our lawful bases under UK GDPR Article 6:

  • Contract — to deliver the software you purchased, issue + validate your licence, and operate the update channel.
  • Legitimate interests — to prevent licence abuse (fraud, key-sharing beyond the 1-device policy) and to keep our servers secure.
  • Legal obligation — to keep invoices + VAT records as required by HMRC (6 years from the end of the accounting period).

4. Who we share it with

  • Stripe (US-based, UK-GDPR-compliant) — payments processor. See stripe.com/privacy.
  • Resend (US-based) — transactional email provider for magic links + receipts. See resend.com/legal/privacy-policy.
  • DigitalOcean (EU/US) — hosting infrastructure.
  • Keygen — licensing backend, self-hosted on our own DigitalOcean server in London (LON1). No third-party Keygen cloud involvement.

We do not sell your data. We do not share it with advertisers. We only disclose it to the processors above for the contractual purposes described, under written data-processing terms.

5. International transfers

Some processors (Stripe, Resend) are US-based. Transfers rely on the UK Addendum to the EU Standard Contractual Clauses plus the UK extension to the EU–US Data Privacy Framework where applicable.

6. How long we keep it

  • Licence + machine data: for the life of the licence + 2 years.
  • Invoices: 6 years (UK HMRC requirement).
  • Stripe webhook raw payloads: up to 90 days.
  • Access logs: 30 days.
  • Consumed magic-link token records: up to 30 days (hash only).
  • Unused magic-link tokens: 15 minutes (they expire automatically).
  • Customer session records: for the life of the session (a sliding 30-day window, extended on use), then kept up to 90 days after revocation as an audit trail.
  • Admin session records: 8-hour sliding window on use.
  • Feature requests + votes: kept for the life of the request. If you erase your account, your submissions become "Anonymous" but the request itself stays so the community knowledge is preserved; you can ask us to delete a specific submission entirely by emailing privacy@hoverstash.tech.
  • Bug reports: 90 days from submission while unresolved; kept indefinitely once marked "fixed" or "won't fix" as part of the shipping history (you can ask us to delete one specifically).
  • Desktop-app bug-report staging: 1 hour for unconfirmed payloads, 7 days for confirmed ones (kept alongside the resulting bug report as an audit trail).

7. Your rights

Under UK GDPR you have the right to:

  • Access a copy of the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased where we no longer need it (subject to HMRC record-keeping on invoices).
  • Restrict or object to certain processing.
  • Port your data to another controller.
  • Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

You can download a full copy of your data any time by signing in at app.hoverstash.tech and clicking Download my data on the dashboard. For erasure requests or anything else, email privacy@hoverstash.tech and we'll respond within one month.

8. Cookies

We use a small set of first-party cookies; none are for advertising or analytics:

  • __Host-hs_customer on app.hoverstash.tech: your signed-in customer session. Set only after you complete a magic-link sign-in.
  • __Host-hs_admin on admin.hoverstash.tech: the operator session. Admin accounts are staff-only.
  • hoverstash_account on .hoverstash.tech: a non-sensitive hint cookie (value is always literally "1") that lets the marketing site header show "Your account" instead of "Sign in" when you already have a dashboard session. Contains no authentication material.

9. Security

All traffic is TLS 1.3. Session cookies are HttpOnly, Secure, and use the __Host- prefix, which browsers only accept when the cookie is Secure, carries no Domain attribute and has Path=/: the cookie is bound to exactly the host that set it, and a cookie set from another hoverstash.tech subdomain cannot shadow it. The admin cookie uses SameSite=Strict and the customer cookie uses SameSite=Lax (the customer cookie has to survive the top-level navigation from the magic-link email, which Strict would block). Admin passwords are hashed with argon2id and every admin account requires TOTP two-factor auth. Licence files at rest on your device are AES-256-GCM sealed against your machine fingerprint, so copying the licence file to another machine fails to decrypt.

10. Changes

If we materially change how we handle data we'll update this page and email active licence holders. The "Last updated" date at the top of this document reflects the most recent revision.